Are PDFs Safe? How PDF Malware Actually Works in 2026
PDF has a reputation as "the safe file format." You can't run a PDF the way you can run an .exe, so people send them around with less caution than they'd send an executable. Your bank emails you PDF statements. Your accountant sends you PDF tax forms. The invoice, the boarding pass, the e-ticket, the rental agreement, all PDFs.
That reputation is mostly deserved, but it has edges. The PDF format is more capable than most people realise, which means a carefully-crafted PDF can do things users don't expect. And in 2026, by far the most common "PDF attack" doesn't need the PDF to do anything sophisticated at all, it just needs you to click a link inside.
This post is a companion to Which File Types Are Safe to Download. That one skimmed PDFs as "medium risk." This one goes into why, what the actual attack patterns look like, and how to handle PDFs without being paranoid about every attachment.
What a PDF actually is
A PDF (Portable Document Format) is a container. Its job is to render a document identically on any device, which means it has to bundle fonts, images, layout instructions, and interactive elements into a single file. That ambition is both its strength and its security problem, the PDF specification is large, and parsing it correctly is genuinely difficult.
Beyond rendering text and images, the full PDF specification supports:
- JavaScript execution, yes, PDFs can run scripts. Originally for form validation and interactive features.
- Embedded files, a PDF can contain other files (including executables) that the viewer can offer to extract.
- /Launch actions, an internal action type that can instruct the viewer to open an external file or URL.
- Form submissions, PDFs can include forms that POST their data to a URL.
- Dynamic content, XFA forms, embedded SWF (historically), 3D content.
Most of these features are rarely used in the documents you actually receive, but they exist in the specification and are honoured by fully-featured viewers. This is the core of PDF risk: the format supports more than most documents need.
The four main attack patterns
1. JavaScript exploiting a viewer vulnerability
The classic PDF attack. A PDF contains carefully-crafted JavaScript that exploits a bug in the PDF viewer to execute code outside the viewer's sandbox. Every major PDF viewer has had vulnerabilities of this kind at some point, and targeted campaigns often chain multiple exploits together to reach arbitrary code execution.
Mitigation in 2026: Adobe Acrobat, Foxit, and similar viewers now run with significantly stronger sandboxing than they did five years ago. Keeping your viewer current is the single most important defence, most attack campaigns target known, patched vulnerabilities because enough users remain unpatched for the exploit to still pay off.
2. Embedded file (drop and prompt)
The PDF contains an executable or script as an embedded file. When the user opens the PDF, it either auto-extracts the file (older viewers) or shows a prompt asking the user to open the attachment. The file extension often includes unicode trickery, spaces, zero-width characters, right-to-left overrides, to look harmless while actually being executable.
Modern defence: mainstream viewers now block execution of embedded executables without explicit user consent, and several file types are blocked outright. Browser viewers typically ignore embedded files altogether.
3. /Launch action (legacy vector)
An internal PDF action type that instructs the viewer to open an external file or URL. Historically this could be used to silently execute commands, the PDF would ship with an embedded payload and use /Launch to start it. Severely exploited throughout the 2010s, with both Adobe and Microsoft repeatedly issuing patches and policy tightening.
Status in 2026: /Launch actions are heavily restricted in every mainstream viewer. Adobe Acrobat disabled the ability to launch arbitrary executables by default over a decade ago. Browser viewers have never supported it.
4. Phishing-via-PDF (the dominant vector in 2026)
Not a PDF exploit at all, a social-engineering attack that uses a PDF as the delivery vehicle. The PDF itself is harmless: it's a one-page document showing what looks like a legitimate invoice, shipping notice, shared document, or HR form. Inside the document is a prominent clickable link or "button", "Click here to view document", "Open in DocuSign", "Verify your account".
The link goes to a phishing page. When the victim clicks, they're taken to a fake login page and asked to authenticate. The PDF never runs any code. Antivirus scans the PDF clean. The email gateway lets it through because it's a PDF and nothing in the file is detectable.
Why this works: PDFs are commonly sent as image-rendered documents. Text-based email filters can't see the link target because it's embedded in what appears to be an image. The whole PDF can be one page with a "View document" button that links to a phishing URL, and most spam filtering doesn't catch it.
Why browser PDF viewers are meaningfully safer
Chrome, Firefox, Safari, and Edge all include built-in PDF viewers that render PDFs without most of the risky features. Specifically:
- They do not execute PDF JavaScript.
- They do not prompt to open embedded files.
- They do not honour /Launch actions.
- They render PDFs in the same sandbox as the browser, which is among the most hardened sandboxes on modern desktop systems.
The trade-off is that some legitimate PDF features don't work, interactive forms might not submit correctly, digital signatures might display differently, some complex layouts render imperfectly. For 90% of PDFs the trade-off is invisible; for the remaining 10%, you can open the file in a full reader after previewing it in the browser first.
That "preview first" habit is a genuinely good defence. Open every PDF from an unexpected source in the browser first. If it's what you expected (a real invoice, a real form, a real document), you can decide whether to open it in a fuller viewer. If it's not what you expected, a fake DocuSign page, a PDF pretending to be a password-protected document you need to authenticate to view, you've identified the phishing attempt without executing anything.
When a "clean" PDF is still worth worrying about
A PDF that scans clean on every engine can still be dangerous if:
- It came from an unexpected source claiming to be a shared document, invoice, or receipt. Legitimate business communication rarely arrives as a surprise PDF from a sender you don't know.
- It contains a prominent "open document" or "verify account" link. The PDF itself is clean; the URL it links to may not be. Don't click.
- It's password-protected and the password is in the email body. This is a common technique used to evade gateway scanning, the scanner can't read the encrypted contents, so it passes the file through as unscannable. Once the user decrypts, the payload (usually a phishing link or an embedded exploit) is fully active.
- It renders as a single image of text rather than containing selectable text. Image-only PDFs are suspicious by default in business contexts, they exist largely to evade text-based filtering.
Practical rules of thumb
- Open unknown PDFs in your browser first. This alone blocks the majority of PDF-based exploit attempts.
- Keep your PDF reader updated. If you use Adobe Acrobat, Foxit, or another full reader, auto-updates should be on. The most exploited vulnerabilities are patched ones being used against unpatched users.
- Treat links inside PDFs the same as links in emails. A "Click to view" button inside a PDF is just a link. Hover to see where it actually goes, and scan the URL if you have any doubt.
- Never enter credentials via a PDF prompt. Real services don't ask you to log in through a PDF, they send a link to their website. A PDF that itself contains a login form, or that opens a browser window that looks like a login, is almost always phishing.
- Scan PDFs you receive from unexpected sources. Free multi-engine scanning services exist specifically for this. A clean scan isn't a guarantee, but a flagged scan is a very strong signal.
The honest summary
PDFs are safer than executables, but not safe enough to be immune to attention. The format supports more capabilities than it needs to, and attackers use both the capabilities (JavaScript, embedded files, /Launch) and the appearance of safety (phishing-via-PDF) to reach victims.
The practical defence is not to fear PDFs, but to handle them thoughtfully: open in a browser viewer first, keep readers updated, verify unexpected attachments through a different channel, and treat links inside PDFs as exactly as trustworthy as links in emails, which is to say, verified before clicked.
Do that, and PDFs remain what they've always been: a very useful document format that's almost always exactly what it looks like.